PayTraq Business Accounts Data and GDPR Compliance
Within the meaning of the GDPR, PayTraq is a data processor. PayTraq provides a software solution that a company (the business account owner) can use to store and process its customers' information, but PayTraq itself does not acquire or process that information on its own. Under the GDPR, this company (the business account owner) is the data controller. See a more detailed definition of the two terms by the European Commission here.
The data controller (a company using PayTraq software) is responsible for being compliant with GDPR rules in relation to information about its customers, suppliers, partners and employees.
Under the current EU Data Protection Directive, the controller is held liable for data protection compliance, not the processor.
The data controller is responsible for the following, and for the other obligations defined in the GDPR:
1) Personal data must reasonably be up to date and accurate. The processing of inaccurate data is prohibited under the GDPR. Inaccurate data must be corrected. The customer can request inaccurate or outdated data to be rectified.
2) Personal data must be collected and used according to agreed purposes, which the customer (data subject) has been informed of and has given valid, specific, informed and active consent to. If the purposes change or new purposes appear, permission must be asked for again. The GDPR requires all businesses to go over their data and renew or delete customers' data where the customers' permissions are not valid under the GDPR.
3) The data has a retention time. The retention time can be defined either by date or by condition. When the customer has revoked permission, or the lawful basis for storing the personal data has been lost, the data must be deleted (or in some cases anonymized). Where a defined deletion date cannot be applied, the conditions must be reviewed regularly.
4) All processing – viewing, creating, changing, deleting, transferring etc. – should be performed only when necessary and exclusively by specially authorized and trained persons.
5) The customer must always be presented with information about the data collection, such as contact details, purposes, storage period, rights as a data subject etc.
6) Any claims filed by customers must be addressed within 30 days, without unnecessary delay.
7) All PayTraq business users, as data controllers, are responsible for the data processing and for the data they store and manage in the PayTraq solution.
8) All PayTraq business users, as data controllers, are required to provide the necessary protection against possible personal data breaches outside PayTraq.
Note that storing sensitive data (also called "special categories of personal data", Art. 9 GDPR "Processing of special categories of personal data") in PayTraq is prohibited. This includes data about health, sexual orientation, racial or ethnic origin, opinions, beliefs, or trade union membership, and biometric data used for identification purposes.
The GDPR grants customers the following rights over their data and its processing:
- Any person has the right to be forgotten. The data controller must allow the data to be deleted or anonymized when the customer asks for it and there is no lawful ground for further processing that overrides the customer's wish.
- Personal data is portable. The customer has the right to request a copy of their personal data and to move it to another data controller.
- Any person has the right to withdraw permissions previously given and to consent only to those purposes which are minimally required to receive the service or goods.
Keep in mind that although the GDPR gives customers the right to request removal of their data, you have the right to retain this information in some cases. If such a request is submitted, you should ensure that the customer does not have any unpaid obligations or a non-zero balance. A due balance is a valid reason for retaining all of the customer’s contact information.
Note that the GDPR only regulates handling the information of natural persons, not businesses. A company does not have the right to be forgotten. However, a company’s contact persons do.
PayTraq’s standard functionality is focused on accounting, sales, purchases and inventory. PayTraq does not provide bulk emailing (newsletters, offers) or marketing features. Neither does PayTraq collect personal information — we just provide a software solution for you to enter and store it. Since PayTraq does not have access to the personal information entered and stored by business users, we cannot collect or store their customers' consent for these data processing purposes. This is the responsibility of your company.